The complexity and stealthy nature of today's malware attacks make the task of securing computer systems a daunting one. The increased availability of malware techniques on the Internet has rapidly increased the frequency, number, and intricacy of attacks. Additionally, computer platforms and their applications continue to grow in complexity. While this complexity provides increased capabilities for users, it inherently leads to security vulnerabilities.
One approach to computer security is the use of hardware-based solutions that assign security functions to dedicated hardware. Because the functions on hardware are typically not directly accessible, it is difficult to change the hardware's security characteristics. Additionally, hardware-based security can reduce the overall performance penalty of monitoring while allowing real-time monitoring.
There are two approaches to hardware-based security: passive and active. Passive hardware can be useful for concealing secrets while performing security functions, but must be queried by the main system to be functional. Active hardware attempts to independently track the state of the system, and to report and correct abnormal behavior.
At a high level, active hardware monitors can be referred to as coprocessor intrusion detection systems (IDSs), and can be categorized as either loosely-coupled or tightly-coupled coprocessor IDSs. Loosely-coupled IDSs do not reside at the same logical level as the host (monitored) processor, which limits both the intrusiveness of the system and the data that it can access (e.g., cache, internal data buses). Tightly-coupled IDSs attempt to address the shortcomings of loosely-coupled IDSs by residing at the same logical level as the host processor or at a higher one, giving them privileges equal to or greater than those of the host processor.
IDSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which may involve the IDS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
Another approach to computer security is the use of virtual machines (VMs) and virtual machine monitors (VMMs). VM technology allows an entire operating system (OS) to be “sandboxed”, limiting the effects that a compromised OS can have on the entire system. A VMM has control over the OS, providing numerous opportunities for system monitoring and malware prevention. VMMs have been developed that run on popular commodity OSs. They create a layer of software below the OS and tightly control the interfaces between the OS and VMM, reducing the ability of an attacker to subvert an entire system.
One of the flaws typically present in a host-based IDS is that advanced malware can subvert the IDS, rendering it ineffective. Moving the IDS to a VMM enables the detection of malware that would otherwise remain hidden. However, the complexity of the VMM and the fact that it is implemented in software still leave the possibility of subverting the system.